Multiple Barracuda appliances -- including its firewall, SSL VPN server, and load balancer devices – have security flaws that can be exploited by attackers to remotely access and gain shell-level access to the appliances.

That warning over hardcoded backdoor accounts, as well as a "critical SSH backdoor," was sounded Thursday in a security warning released by Austria-based information security consultancy SEC Consult.

In particular, SEC Consult said it had found multiple backdoor accounts -- hardcoded usernames and passwords -- built into some Barracuda products, including an account called "product," for which it had been able to crack the password and then gain full access to the system. That access allowed it to alter a MySQL database on the device "to add new users with administrative privileges to the appliance configuration," according to SEC Consult's security advisory. "Furthermore it was possible to enable diagnostic/debugging functionality which could be used to gain root access on the system (confirmed in Barracuda SSL VPN)." In other words, outsiders could remotely access and authenticate to a Barracuda SSL VPN, using SSH.

SEC Consult coordinated the release of its vulnerability warning with Barracuda Networks, which confirmed the vulnerabilities Wednesday, just two months after first being notified of the flaws, which for a vendor is a relatively speedy turnaround. In the case of the SSL VPN vulnerability, "our research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log into a non-[privileged] account on the appliance from a small set of IP addresses. The vulnerabilities are the result of the default firewall configuration and default user accounts on the unit," Barracuda Networks said in a statement.

Barracuda recommended that all customers "immediately" update their Barracuda security definitions to v2.0.5, ensure the products' security definitions are set to "on," and check that they're using the most recent firmware. All vulnerable Internet-facing products using a previous security definitions version are at risk of being exploited.

But Barracuda's security advisory suggested that the new security definitions -- used by the devices' firmware -- wouldn't fully mitigate the SSH access threat on the SSL VPN server, noting that "while this update drastically minimizes potential attack vectors, our support department is available to answer any questions on fully disabling this functionality if support access is not desired." In fact, full mitigation requires disabling all SSH access, by disabling the SSH daemon built on the devices.

According to SEC Consult, however, the security definitions update still leaves three accounts on all devices -- cluster, remote, root -- which Barracuda told it are "essential for customer support and will not be removed." But SEC Consult warned that the password for the "root" account can be cracked, if it isn't sufficiently strong, and noted that although only Barracuda possesses the private key for the passwords for the "cluster" and "remote" accounts, this is a security problem. "This still leaves considerable risks to appliances as the password for the 'root' user might be crackable and the relevant private keys for the 'remote' user might be stolen from Barracuda Networks," said SEC Consult. "In secure environments it is highly undesirable to use appliances with backdoors built into them. Even if only the manufacturer can access them."

According to SEC Consult, one workaround is to "place the appliances behind a firewall and block any incoming traffic (local and Internet) to port 22," to block outside attempts to exploit the hardwired accounts.

SEC Consult has so far only detailed the Barracuda device vulnerabilities and related proof-of-concept exploit code in general terms, but promised to release full details soon. "URLs and other exploit code (passwords) have been removed from this advisory," said the company's warning. "A detailed advisory will be released within a month including the omitted information."

Security isn't necessarily the first thing people think of when they consider enterprise directories. But directories can be used in a number of ways to tighten and extend your organization's security. A Guide To Security And Enterprise Directories report, we examine enterprise directories—through the lens of Microsoft Active Directory -- and their potential as a solution for a wide array of security initiatives. (Free registration required.)

Welcome to
TechWeb, the IT professional's online resource for news coverage of the
information technology industry. We know technology news. Our mobile
and wireless news coverage moves as fast as wireless technology itself.
We follow all the devices you depend on to stay connected. Our software
coverage follows the multi-faceted software industry from every angle.
We've got a lock on network security and computer security issues.
We're all over the business of the Web--the Internet business--and the
engines that run it. We have our eyes and ears tuned to the players who
make and run the tools that tie us all together--Google, Microsoft,
eBay, Cisco, Yahoo, Oracle, Apple, Sony--and scores of others. And we
keep close tabs on the backbone of information technology, PC hardware.
We know PCs and Apple computers inside and out. We cover computer
technology, computer news, software news, search engine news, business
software, operating systems, and software development. Our coverage of
tech news includes a strong focus on the security business, its
attendant spyware and viruses, how security relates to wireless
technology and business networking and the security issues surrounding
RFID technology. We closely follow developments in Internet news and
Internet technology, including the spread of broadband and its effect
on Web browsers and the Web business. We watch the VoIP business, and
how VoIP technology is affecting the state of telephony in the
enterprise. And if all that isn't enough, we also track developments in
the IT industry that affect IT jobs, IT careers, and outsourcing.